一种基于RISC-V处理器的联合侧信道和瞬态执行攻击方案

IF 6.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2025-03-01 Epub Date: 2024-12-26 DOI:10.1016/j.cose.2024.104297
Renhai Dong , Baojiang Cui , Yi Sun , Jun Yang
{"title":"一种基于RISC-V处理器的联合侧信道和瞬态执行攻击方案","authors":"Renhai Dong ,&nbsp;Baojiang Cui ,&nbsp;Yi Sun ,&nbsp;Jun Yang","doi":"10.1016/j.cose.2024.104297","DOIUrl":null,"url":null,"abstract":"<div><div>The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.</div><div>In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52%. The scheme completes 1,000 attacks in less 60 s which leaks about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported CVE and CNNVD vulnerabilities and both are confirmed by the developers for security’s sake.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104297"},"PeriodicalIF":6.8000,"publicationDate":"2025-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A combined side-channel and transient execution attack scheme on RISC-V processors\",\"authors\":\"Renhai Dong ,&nbsp;Baojiang Cui ,&nbsp;Yi Sun ,&nbsp;Jun Yang\",\"doi\":\"10.1016/j.cose.2024.104297\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.</div><div>In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52%. The scheme completes 1,000 attacks in less 60 s which leaks about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported CVE and CNNVD vulnerabilities and both are confirmed by the developers for security’s sake.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"150 \",\"pages\":\"Article 104297\"},\"PeriodicalIF\":6.8000,\"publicationDate\":\"2025-03-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404824006035\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"2024/12/26 0:00:00\",\"PubModel\":\"Epub\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824006035","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"2024/12/26 0:00:00","PubModel":"Epub","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

RISC-V处理器在学术和工业领域的不断发展引起了人们对其开源指令集架构(ISA)和微架构的极大关注。然而,近年来微架构瞬态执行攻击的威胁日益严重,对处理器的设计提出了严峻的挑战。有研究从暂态执行的角度提出RISC-V微架构还存在一些缺陷,并指出了攻击面,导致RISC-V处理器无法在微架构层面保证集成电路和系统的安全。本文系统地研究了RISC-V微架构的安全问题,提出了一种侧信道与瞬态执行相结合的攻击方案。提出的攻击方案综合分析了不同微架构下的缓存安全性、定时侧信道攻击和物理内存保护(PMP)。不出所料,我们通过PMP安全分析发现了一个未知的瞬态执行缺陷。此外,我们引入了4种瞬态执行攻击原语,利用微架构推测执行缺陷和PMP瞬态执行绕过数据保护和特权隔离,允许攻击者非法访问微架构上的敏感数据并破坏基于PMP规则的内存隔离方案。实验结果表明,该攻击方案在6个真实RISC-V处理器上达到了较高的准确率,成功攻击了6个微架构,准确率约为97.52%。该方案在不到60秒的时间内完成了1000次攻击,泄漏了大约2500比特,比最先进的工具平均效率提高了34.17%。攻击者可以成功检索到加密密钥,具有实际应用价值。最后,提出了防范攻击的几点对策。我们报告了CVE和CNNVD漏洞,出于安全考虑,两者都得到了开发人员的确认。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
A combined side-channel and transient execution attack scheme on RISC-V processors
The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.
In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52%. The scheme completes 1,000 attacks in less 60 s which leaks about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported CVE and CNNVD vulnerabilities and both are confirmed by the developers for security’s sake.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
期刊最新文献
A Multi-Frequency Temporal Spatio-Transformer for adversarially robust IoT intrusion detection Debapt: Ontology-driven multi-agent debate for APT adversary profile construction from cyber threat intelligence CoolTest: Randomness test suited for small data volumes ODHD: On-Demand Helper Data generation for reliable NVM-free key derivation from SRAM PUF From Systematic Threat Search to pentesting: Industrial Control Systems threat models
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1